<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->

<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>January 2016 PageSpeed Security Update.</title>
<link rel="stylesheet" href="doc.css">
</head>
<body>
<!--#include virtual="_header.html" -->


<div id=content>
<h1>January 2016 PageSpeed Security Update.</h1>
<h2 id="overview">Overview</h2>
<p>All released versions of PageSpeed are subject to an HTTPS-fetching
vulnerability, CVE-2016-2092. This permits a hostile third party who can
man-in-the-middle the connection between PageSpeed and an HTTPS server to
substitute arbitrary content in responses. This could allow the attacker to
execute JavaScript in users' browsers in the context of the domain running
PageSpeed, which could permit theft of users' cookies or data on the site.
</p>

<p>To be notified of further security updates, subscribe to the
<a href="mailing-lists#announcements">announcements mailing list</a>.</p>

<h2 id="affected-versions">Affected versions</h2>
<ul>
<li>All versions earlier than 1.9.</li>
<li>Versions 1.9.32.0 – 1.9.33.12 (fixed in 1.9.32.13).</li>
<li>Versions 1.10.33.0 – 1.10.33.3 (fixed in 1.10.33.4).</li>
</ul>

<h2 id="affected-configurations">Affected configurations</h2>

<p>Sites using the default configuration are not vulnerable, because by default
PageSpeed will only use HTTPS to fetch from itself. To be vulnerable, a site
needs to have configured either:</p>

<ul>
<li>Any of the following directives with an HTTPS target on another server:
<ul>
<li><a href="domains#auth_domains"><code>Domain</code></a></li>
<li><a href="domains#mapping_origin"><code>MapOriginDomain</code></a></li>
<li><a href="domains#MapProxyDomain"><code>MapProxyDomain</code></a></li>
<li><code>FetchProxy</code> (experimental and undocumented)</li>
</ul></li>
<li>Or any of the following directives:
<ul>
<li><a href="domains#fetch_servers"
><code>DangerPermitFetchFromUnknownHosts</code></a></li>
<li><a href="domains#inline_without_auth"
><code>InlineResourcesWithoutExplicitAuthorization</code></a></li>
<li><a href="filter-css-inline-google-fonts"
><code>EnableFilters inline_google_font_css</code></a></li>
</ul></li>
</ul>

<h2 id="solution">Solution</h2>

<p>
You can resolve this problem by updating to the latest version of either the
stable or the beta channel.
</p>

<h3 id="latest">Upgrading to the latest version</h3>

<p>
The easiest way to resolve the vulnerability is to update to the latest
version on whichever channel (stable or beta) you are currently using.
</p>

<p>If you installed the .rpm package, you can update with:</p>
<pre>
sudo yum update
sudo /etc/init.d/httpd restart
</pre>

<p>If you installed the .deb package, you can update with:</p>
<pre>
sudo apt-get update
sudo apt-get upgrade
sudo /etc/init.d/apache2 restart
</pre>

<p>It is also possible to <a href="build_mod_pagespeed_from_source">build from
source</a>.</p>

<h2 id="sig">Package signing information</h2>
<p>All of the packages above are signed with the Google Linux Package Signing
Key, as described on <a href="http://www.google.com/linuxrepositories/">
http://www.google.com/linuxrepositories/</a>.</p>

<h2 id="workaround">Workaround</h2>

<p>If you are unable to upgrade to the new version, you can work around this
vulnerability by either explicitly disabling fetching of resources over HTTPS or
by removing the <a href="#affected-configurations">configuration directives</a>
that enable fetching over HTTPS from other hosts.</p>

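<p>The following script is an added example for this advisory, not code from
the PageSpeed project: it audits a mod_pagespeed or ngx_pagespeed configuration
file for the directives listed under Affected configurations, so an
administrator can confirm whether a deployment is exposed before applying the
workaround of removing them. It assumes directives appear either with the
Apache <code>ModPagespeed</code> prefix or as nginx
<code>pagespeed &lt;Directive&gt; ...;</code> lines, and that an optional
second argument names the host the site itself serves (HTTPS targets on that
host are not reported, since fetching from itself is the non-vulnerable
default). The sample configurations it writes are constructed for
illustration.</p>

```shell
#!/bin/sh
# Added example for the January 2016 PageSpeed advisory; not part of the
# PageSpeed project. Audits a mod_pagespeed / ngx_pagespeed configuration
# file for the directives the advisory lists as enabling HTTPS fetches from
# other hosts. All sample configurations below are constructed.
#
# Assumptions: directives appear with the Apache "ModPagespeed" prefix or as
# nginx "pagespeed <Directive> ...;" lines; the optional SELF_HOST argument is
# the host the site itself serves, and https:// targets on it are not reported.

# Directives that are only a concern when their target is an https:// URL.
HTTPS_TARGET_DIRECTIVES='Domain|MapOriginDomain|MapProxyDomain|FetchProxy'
# Directives that are a concern regardless of their arguments.
ALWAYS_AFFECTED='DangerPermitFetchFromUnknownHosts|InlineResourcesWithoutExplicitAuthorization'
# Optional Apache or nginx directive prefix at the start of a line.
PREFIX='^[[:space:]]*(ModPagespeed|pagespeed[[:space:]]+)?'

# pagespeed_audit_config CONF [SELF_HOST]
# Prints every affected directive line; returns 1 if any was found, else 0.
pagespeed_audit_config() {
    conf="$1"
    self_host="$2"

    # Remove comments so commented-out directives are not reported.
    stripped=$(sed 's/#.*//' "$conf")

    # 1. Domain-mapping directives with an https:// target. With SELF_HOST set,
    #    a line is reported only if at least one https target is another host.
    domain_hits=$(printf '%s\n' "$stripped" \
        | grep -Ei "${PREFIX}(${HTTPS_TARGET_DIRECTIVES})[[:space:]].*https://" \
        | awk -v self="$self_host" '
            {
                other = (self == "") ? 1 : 0
                for (i = 1; i <= NF; i++) {
                    url = tolower($i)
                    if (url ~ "^https://") {
                        sub("^https://", "", url)   # drop the scheme
                        sub("[/:;].*$", "", url)    # drop port, path, trailing ";"
                        if (url != tolower(self)) other = 1
                    }
                }
                if (other) print
            }')

    # 2. Directives that are affected whatever their arguments are.
    flag_hits=$(printf '%s\n' "$stripped" \
        | grep -Ei "${PREFIX}(${ALWAYS_AFFECTED})([[:space:]]|$)" || true)

    # 3. EnableFilters lines that switch on inline_google_font_css.
    font_hits=$(printf '%s\n' "$stripped" \
        | grep -Ei "${PREFIX}EnableFilters[[:space:]].*inline_google_font_css" || true)

    findings=$(printf '%s\n%s\n%s\n' "$domain_hits" "$flag_hits" "$font_hits" \
        | sed '/^[[:space:]]*$/d')
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample configurations, written into the directory given as $1.
write_sample_configs() {
    cat > "$1/default.conf" <<'EOF'
ModPagespeed on
ModPagespeedDomain https://www.example.com
ModPagespeedEnableFilters rewrite_css,combine_css
EOF
    cat > "$1/vulnerable.conf" <<'EOF'
ModPagespeed on
ModPagespeedDomain https://www.example.com
ModPagespeedDomain https://cdn.example.net
ModPagespeedMapOriginDomain https://origin.example.net https://www.example.com
ModPagespeedDangerPermitFetchFromUnknownHosts on
ModPagespeedEnableFilters inline_google_font_css,rewrite_css
# ModPagespeedFetchProxy https://proxy.example.org
EOF
    cat > "$1/nginx.conf" <<'EOF'
pagespeed on;
pagespeed Domain https://www.example.com;
pagespeed FetchProxy https://proxy.example.org;
EOF
}

# Demo: audit the samples, treating www.example.com as the site itself.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
for f in default.conf vulnerable.conf nginx.conf; do
    echo "== $f"
    if pagespeed_audit_config "$demo_dir/$f" www.example.com; then
        echo "   no affected directives"
    fi
done
rm -rf "$demo_dir"
```

<p>Point <code>pagespeed_audit_config</code> at your real
<code>pagespeed.conf</code> (or the nginx server block that carries the
<code>pagespeed</code> directives) with your own hostname as the second
argument; because the function returns non-zero when it finds anything, it can
gate a deployment step. For the first workaround, disabling HTTPS fetching
outright, the directive assumed here to control it in mod_pagespeed is
<code>ModPagespeedFetchHttps</code> with the value <code>disable</code>;
confirm the name against the documentation for your installed version.</p>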
</div>
<!--#include virtual="_footer.html" -->
</body>
</html>